benlesh / symbol-observable

Symbol.observable ponyfill


Security vulnerability in 1.0.1?

sarahshuffle opened this issue · comments

We recently got a pen test done by a third party and included in the list of 'Insecure JavaScript Libraries in Use' was symbol-observable 1.0.1.
I've been looking around online and can't find any evidence of this version being insecure, e.g. https://snyk.io/vuln/npm:symbol-observable
Am I looking in the wrong places or are the testers incorrect?

Thanks

No. I can say with confidence there isn't a security issue with the library. Here's all of the code involved:

index.js:

```js
'use strict';

Object.defineProperty(exports, "__esModule", {
	value: true
});

var _ponyfill = require('./ponyfill');

var _ponyfill2 = _interopRequireDefault(_ponyfill);

function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }

// Pick the global object for the current environment (Node or browser).
var root = undefined; /* global window */

if (typeof global !== 'undefined') {
	root = global;
} else if (typeof window !== 'undefined') {
	root = window;
}

// Resolve (or create) the observable symbol on that global and export it.
var result = (0, _ponyfill2.default)(root);
exports.default = result;
```

ponyfill.js:

```js
'use strict';

Object.defineProperty(exports, "__esModule", {
	value: true
});
exports.default = symbolObservablePonyfill;
function symbolObservablePonyfill(root) {
	var result;
	var _Symbol = root.Symbol;

	if (typeof _Symbol === 'function') {
		if (_Symbol.observable) {
			// Another library (or the host) already defined it: reuse it.
			result = _Symbol.observable;
		} else {
			// Create it once and attach it so every consumer sees the same symbol.
			result = _Symbol('observable');
			_Symbol.observable = result;
		}
	} else {
		// No Symbol support at all: fall back to a well-known string key.
		result = '@@observable';
	}

	return result;
}
```

If the pen testing folks want to put together a sample proving the vulnerability, I'd be happy to issue a patch, even for a 1.x version. haha.

I'm going to close this one for now, to prevent confusion, but if you find it's actually an issue (like if they have a reproduction or something) please do reopen or open a new issue. But this seems like they reported incorrectly.